The SSC recently announced that the latest PCI DSS revision release would be moved up. Instead of being released in November on the three-year cycle, as it has been in the past, revisions will now come out much faster and more regularly.
Why the New Update Release Time Frame?
According to PCI Security Standards Council Chief Technology Officer Troy Leach, the PCI DSS has reached a level of maturity at which it no longer needs substantial updates. Instead, smaller modifications will be released more regularly to adapt to the threats of today. The new update, PCI DSS 3.2, was released in April 2016. This update replaces the regular update scheduled for November 2016.
The implications of the changed update release timeline are twofold. First, companies won’t have to completely uproot their systems every three years, as they may have had to before, to stay compliant. Second, with tweaks released regularly in response to current threats, companies can take a more active approach to compliance and adapt regularly to the changing landscape.
What’s New with PCI DSS 3.2?
In a press release from April 28, the PCI SSC outlined the key changes in the latest update, which address the data breach trends that are driving these modifications to payment security standards around the world:
- Requirement 8.3 has been expanded to include the use of multi-factor authentication for those administrators who have access to cardholder data.
- Security validation steps have been added for service providers and others.
- The “Designated Entities Supplemental Validation” (DESV) criteria have been added to the PCI DSS 3.2 official document. They were previously a separate document.
- Requirements 10.8 and 10.8.1 state that service providers are now responsible for detecting and reporting on the failures of critical security control systems.
- Requirement 11.3.4.1 states that service providers are now responsible for performing a penetration test on segmentation controls twice a year at six-month intervals.
Companies would do well to adopt the new standards set forth by the new requirements as soon as possible, according to Troy Leach in a recent interview. The new standards are designed to help prevent, identify, and respond to cyber-attacks, so following them is the best way to keep customer data safe.
That being said, version 3.1 of the PCI DSS doesn’t officially expire until October 31, 2016, so there’s time for companies to finish their annual assessment cycles with the old standards. Until the new version officially comes into effect in February 2018, PCI DSS 3.2 represents best practice.